What is a GDPR Data Retention Policy and How Should it be Implemented?

If your business is subject to the EU´s General Data Protection Regulation, one of the first tasks to address is the implementation of a GDPR data retention policy that advises “data subjects” what information is being collected, who it is being shared with, what it is being used for, and how long it will be retained.

Creating a GDPR data retention policy may sound straightforward but, in practice, it can be extremely complicated.

Under the 1995 EU Data Protection Directive, businesses operating in the European Union were not supposed to retain data “for longer than is necessary for the purposes for which the data were collected”. This principle was rarely applied, and—as it formed part of a “Directive” rather than a “Regulation”—it was never enforced.

With the introduction of the EU´s General Data Protection Regulation (GDPR), the landscape changes completely. Not only do businesses operating in the European Union have to implement a GDPR data retention policy, but any business that collects, processes or stores the personal information of an EU data subject also has to implement a GDPR data retention policy.

The GDPR data retention policy has to form part of a publicly-accessible Privacy Policy that clearly indicates:

The aims and objectives of the policy

The scope of the policy

Who is collecting the data

The legal basis for processing the data

Who the data will be shared with

How the integrity of data is safeguarded

The Rights of Individuals

Periods of data retention

The responsibilities of individuals

How the policy is enforced

How the data subject can complain

Issues with Creating a GDPR Data Retention Policy

Creating a GDPR data retention policy may sound straightforward but, in practice, it can be extremely complicated. You may have noticed that, in the above list of bullet points, we included the line “periods of data retention” in the plural rather than in the singular. This is because, although a business may no longer have a need for the data “for the purposes for which the data were collected”, the data may have to be retained for regulatory or legal purposes.

For this reason, businesses need to identify what types of data are collected from EU data subjects. They should ensure only the minimum amount of personal information is collected to meet the legal purpose for processing the data, and determine—if necessary—how different elements of the data are stored in order to facilitate Subject Access Requests and regulatory/legal requirements, and to enable the timely deletion of data when regulatory retention periods expire.

A process for the timely deletion of data also has to be designed and documented. If a business is a Data Controller and subcontracts data processing to a third party, due diligence needs to be conducted on the third party to ensure they too have a GDPR data retention policy. If the data processing is done in-house, but via a third party´s software application, an agreement still needs to be put in place to ensure compliance with the General Data Protection Regulation.

The Benefits of Complying with this Element of GDPR

Compliance with GDPR is not an option if your business collects, processes, or stores the personal information of an EU data subject, but there are significant benefits of complying with this element of GDPR. By conducting an audit of your data and deleting any that is superfluous to your needs, you save on storage space and—if your data is maintained in the cloud—you reduce your cloud costs.

If you have organized your data appropriately, you will save time responding to Subject Access Requests and be able to better resolve requests when data subjects exercise the Right to be Forgotten or the Right of Portability. The audit will also help you identify inaccurate, out-of-date or redundant data, and data that is at risk of misappropriation due to security issues.

Contact Us

We care about your privacy and confidentiality. By submitting your information in this form you are agreeing to the terms listed in our Privacy Policy and Cookie Policy. CloudHealth will use the information you provide to contact you about the products and services you’ve requested.